<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
 <HEAD>

   <TITLE>OpenStack Open Source Cloud Computing Software &raquo; Message: [Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B! </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:openstack%40lists.openstack.org?Subject=Re%3A%20%5BOpenstack%5D%20Security%20Breach%21%20Tenant%20A%20is%20seeing%20the%20VNC%0A%20Consoles%20of%20Tenant%20B%21&In-Reply-To=%3C52B837A3.3010105%40gmail.com%3E">
   <META NAME="robots" CONTENT="index,nofollow">

    <!-- Google Fonts -->
        <link href='http://fonts.googleapis.com/css?family=PT+Sans&subset=latin' rel='stylesheet' type='text/css'>

    <!-- Framework CSS -->
    <link rel="stylesheet" href="http://openstack.org/themes/openstack/css/blueprint/screen.css" type="text/css" media="screen, projection">
    <link rel="stylesheet" href="http://openstack.org/themes/openstack/css/blueprint/print.css" type="text/css" media="print">

    <!-- IE CSS -->
    <!--[if lt IE 8]><link rel="stylesheet" href="http://openstack.org/blueprint/ie.css" type="text/css" media="screen, projection"><![endif]-->

    <!-- OpenStack Specific CSS -->

    <link rel="stylesheet" href="http://openstack.org/themes/openstack/css/dropdown.css" type="text/css" media="screen, projection, print">

    <!-- Page Specific CSS -->
        <link rel="stylesheet" href="http://openstack.org/themes/openstack/css/home.css" type="text/css" media="screen, projection, print">

  <link rel="stylesheet" type="text/css" href="http://openstack.org/themes/openstack/css/main.css?m=1335457934" />
   <style type="text/css">
       pre {
           white-space: pre-wrap;       /* css-2.1, current FF, Opera, Safari */
           }
   </style>
   <META http-equiv="Content-Type" content="text/html; charset=utf-8">
   <LINK REL="Previous"  HREF="004120.html">
   <LINK REL="Next"  HREF="004140.html">
 </HEAD>
 <BODY>
        <!-- Page Content -->

    <div class="container">
   <H1>[Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!</H1>
    <B>Jay Pipes</B> 
    <A HREF="mailto:openstack%40lists.openstack.org?Subject=Re%3A%20%5BOpenstack%5D%20Security%20Breach%21%20Tenant%20A%20is%20seeing%20the%20VNC%0A%20Consoles%20of%20Tenant%20B%21&In-Reply-To=%3C52B837A3.3010105%40gmail.com%3E"
       TITLE="[Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!">jaypipes at gmail.com
       </A><BR>
    <I>Mon Dec 23 13:16:19 UTC 2013</I>
    <P><UL>
        <LI>Previous message: <A HREF="004120.html">[Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!
</A></li>
        <LI>Next message: <A HREF="004140.html">[Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#4138">[ date ]</a>
              <a href="thread.html#4138">[ thread ]</a>
              <a href="subject.html#4138">[ subject ]</a>
              <a href="author.html#4138">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>On 12/22/2013 12:37 PM, Martinx - ジェームズ wrote:
&gt;<i> Stackers!
</I>&gt;<i>
</I>&gt;<i> I need a bit of help here...
</I>&gt;<i>
</I>&gt;<i> My OpenStack Havana (Ubuntu 12.04.3) was working smoothly and, I don't
</I>&gt;<i> know what had happened here but, now, I'm seeing some weird problems.
</I>&gt;<i>
</I>&gt;<i> Right now, the &quot;Tenant A&quot; is seeing the VNC Consoles of &quot;Tenant B&quot; !!!
</I>&gt;<i>
</I>&gt;<i> How is that even possible?! There is no authentication here to deal with
</I>&gt;<i> this kind of thing!? I'm really worried about this.
</I>&gt;<i>
</I>&gt;<i> Look:
</I>&gt;<i>
</I>&gt;<i> &quot;Tenant A&quot; Instances:
</I>&gt;<i>
</I>&gt;<i> Inline images 1
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i> &quot;Tenant A&quot; accessing the VNC Console of a &quot;Tenant B&quot; Instance!!!
</I>&gt;<i>
</I>&gt;<i> Inline images 2
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i> This is a very serious problem, since I'm giving &quot;Tenant A&quot;
</I>&gt;<i> almost total access to &quot;Tenant B&quot; Instances!! This kind of situation
</I>&gt;<i> should NEVER occur!
</I>&gt;<i>
</I>&gt;<i> What can I do to completely block this?
</I>&gt;<i>
</I>&gt;<i> I just started a new Instance for &quot;Tenant A&quot;, and I'm seeing ANOTHER VNC
</I>&gt;<i> Console from &quot;Tenant B&quot;!!
</I>
Thiago, yes, this is indeed a major security breach. If you have not 
already, please create a bug in Launchpad with your image attachments 
and a description to reproduce the bug if you can. Please mark the bug 
as a security/private bug.

Thank you!
-jay



</PRE>

<!--endarticle-->
    <HR>

<hr>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">More information about the Openstack
mailing list</a><br>

</div>

</body></html>
